Chronicle Releases Backstory

They’re doing a cloud-based offering that is priced by your employee count rather than data usage, and that’s tens, hundreds, or even thousands of times faster than existing solutions.

It’s basically using all the Google magic secret sauce regarding scalability and speed to do super-fast correlation of malicious behavior across an enterprise’s data.

They just launched, but they’re already getting a ton of partnerships.

The key is the ability to go backwards, which is a play on Chronicle and Backstory, which is cute.

They are keeping all your data (I think indefinitely?) and letting you say things like,

We just learned about this APT, which uses this one domain, which we happened to notice that someone else on your network went to 14 months ago, and it was Julie, and here’s everything else she’s done since then, and everyone else who’s been to that domain.

Oh, and in 250ms.

This and the next tool are definitely the biggest disruptors I saw at the show.

SentinelOne Previews Ranger

SentinelOne is—according to what I’ve seen with multiple customers—the top endpoint protection product, and what they showed at RSA is a new tool called Ranger that allows their installed agents to look laterally at what else is on the network.

So it’s asset discovery using their existing sensors as opposed to installing a bunch of taps or gateways.

It’s super interesting because it’s getting directly into Tanium’s world, which is all about visibility and management.

Ghidra release by NSA

I was in the talk where NSA released Ghidra, and I thought it was quite interesting.

As I wrote after the announcement for the talk, I thought the whole thing was basically a well-meaning PR stunt. That is, a PR stunt for all the right reasons. So, more like a gesture of kindness.

And that was spot on.

What I found interesting about the tool—and the thing that made all the difference—is that Ghidra was not a new tool that they just released for some good press. Oh, no. It’s the primary tool they themselves use, and have been using for years.

The undisputed king of reverse engineering tools has been IDA Pro forever, but with this release the market has instantly changed.

Not only is Ghidra free, while IDA Pro is multiple thousands of dollars, but it actually has many unique features that even IDA doesn’t have.

There’s a back button for changes that won’t mess up your entire session

There is support for many platforms

There’s a decompiler that can go from binary to C pseudocode

There are collaboration features

…and these are just a few of the differences.

Ghidra instantly became the one and only true competitor for IDA Pro, and in many ways it’s far superior.

This couldn’t have come at a better time, because I’m about to learn some basic RE myself.

It’s quite impressive actually, and I can’t wait to dive into some basic RE CTF challenges.

Summary

Solid show, for what it is.

If you come to RSA thinking you’re at Gartner Security, or re:Invent, or DEFCON, you’ll be sad.

But if you see it as a chance to see old friends and learn what the industry is doing, it can be enjoyed.